Add 1.6.0->1.7.0 upgrade guide; Focal prep guide

docs/index.rst

@@ -92,10 +92,10 @@ anonymous sources.
    :name: upgradetoc
    :maxdepth: 2
 
+   upgrade/focal_prep.rst
+   upgrade/1.6.0_to_1.7.0.rst
    upgrade/1.5.0_to_1.6.0.rst
-   upgrade/1.4.1_to_1.5.0.rst
-   upgrade/1.4.0_to_1.4.1.rst
-
+
 .. toctree::
    :caption: Developer Documentation
    :name: devdocs

docs/upgrade/1.5.0_to_1.6.0.rst

@@ -82,7 +82,12 @@ graphical prompts to update to the latest version.
 V3 Onion Services
 -----------------
 
-Due to security and anonymity improvements in v3 of the onion services protocol, support for v2 onion services will be removed from SecureDrop in February 2021. If your SecureDrop instance is still using 16-character v2 onion URLs, you should migrate to v3 onion services at the earliest opportunity, and contact us via the Support Portal if you require assistance doing so. For more information, see :doc:`our migration documentation <../v3_services>`. 
+Due to security and anonymity improvements in v3 of the onion services protocol,
+support for v2 onion services will be removed from SecureDrop in March 2021. If
+your SecureDrop instance is still using 16-character v2 onion URLs, you should
+migrate to v3 onion services at the earliest opportunity, and contact us via
+the Support Portal if you require assistance doing so. For more information,
+see :doc:`our migration documentation <../v3_services>`.
 
 Getting Support
 ---------------

docs/upgrade/1.4.1_to_1.5.0.rst → docs/upgrade/1.6.0_to_1.7.0.rst

@@ -1,12 +1,21 @@
-Upgrade from 1.4.1 to 1.5.0
+Upgrade from 1.6.0 to 1.7.0
 ===========================
 
+.. important::
+
+  Please see the :ref:`key reminders <key_reminders>` below regarding critical
+  migrations of your SecureDrop servers that must be completed before
+  **April 30, 2021** to keep your instance operational.
+
 Automatic server upgrades
 -------------------------
 As with previous releases, your servers will be upgraded to the latest version
 of SecureDrop automatically within 24 hours of the release.
 
-Updating Workstations to SecureDrop 1.5.0
+
+.. _updating_workstations_170:
+
+Updating Workstations to SecureDrop 1.7.0
 -----------------------------------------
 
 Using the graphical updater
@@ -16,7 +25,7 @@ the *SecureDrop Workstation Updater* will alert you to workstation updates. You
 must have `configured an administrator password <https://tails.boum.org/doc/first_steps/welcome_screen/administration_password/>`_
 on the Tails welcome screen in order to use the graphical updater.
 
-Perform the update to 1.5.0 by clicking "Update Now":
+Perform the update to 1.7.0 by clicking "Update Now":
 
 .. image:: ../images/securedrop-updater.png
 
@@ -36,7 +45,7 @@ update by running the following commands: ::
   git fetch --tags
   gpg --keyserver hkps://keys.openpgp.org --recv-key \
    "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
-  git tag -v 1.5.0
+  git tag -v 1.7.0
 
 The output should include the following two lines: ::
 
@@ -47,9 +56,9 @@ Please verify that each character of the fingerprint above matches what is
 on the screen of your workstation. If it does, you can check out the
 new release: ::
 
-    git checkout 1.5.0
+    git checkout 1.7.0
 
-.. important:: If you do see the warning "refname '1.5.0' is ambiguous" in the
+.. important:: If you do see the warning "refname '1.7.0' is ambiguous" in the
   output, we recommend that you contact us immediately at [email protected]
   (`GPG encrypted <https://securedrop.org/sites/default/files/fpf-email.asc>`__).
 
@@ -60,6 +69,7 @@ Finally, run the following commands: ::
 
 Upgrading Tails
 ---------------
+
 If you have already upgraded your workstations to the Tails 4 series, follow the
 graphical prompts to update to the latest version.
 
@@ -77,29 +87,48 @@ graphical prompts to update to the latest version.
 
 .. include:: ../includes/always-backup.txt
 
-Troubleshooting Kernel Issues
------------------------------
-SecureDrop 1.5.0 includes a kernel update on the *Application* and *Monitor
-Servers*, from version 4.14.175 to version 4.14.188. As with all kernel updates,
-we have extensively tested this update against
-:ref:`recommended hardware <Specific Hardware Recommendations>`.
+.. _key_reminders:
 
-If you are running SecureDrop on hardware that is not officially supported, you
-may encounter compatibility issues with the new kernel. For example, the servers
-may not boot, or you may lose network connectivity. If this happens, you can
-temporarily downgrade to the previous kernel version.
+Migration to v3 onion services
+------------------------------
 
-.. important::
+Support for v2 :ref:`onion services <glossary_onion_service>` is being phased
+out and will be completely removed as part of the transition to Ubuntu 20.04.
+If you are not already running v3 onion services (easily recognizable by their
+56 character ``.onion`` addresses), please complete the migration at your
+earliest convenience to keep your instance running. See our
+:doc:`upgrade guide <../v3_services>` for details.
+
+.. note::
+
+  If you have previously disabled v2 onion services, due to a bug that was fixed
+  in SecureDrop 1.7.0, SSH access via v2 onion services may still be enabled,
+  and you may receive OSSEC alerts warning you that v2 onion services are still
+  running.
+
+  To fully disable v2 onion services:
+
+  1. Make sure that your *Admin Workstation* is up-to-date by following the
+     :ref:`earlier steps <updating_workstations_170>`.
+  2. Run ``./securedrop-admin sdconfig`` from the ``~/Persistent/securedrop``
+     directory and confirm that all configuration settings are correct.
+     In particular, make sure that v2 onion services are disabled, and
+     v3 onion services are enabled.
+  3. Re-run the install playbook via ``./securedrop-admin install``.
+
+  We apologize for the inconvenience. Please contact us if you have any
+  questions about this process.
+
+Preparing for Ubuntu 20.04
+--------------------------
+The current server operating system, Ubuntu 16.04, will no longer receive
+security updates after April 30, 2021. Support for Ubuntu 20.04 is planned
+for the SecureDrop 1.8.0 release, scheduled for March 2, 2021. We recommend
+that you schedule a two-day maintenance window **between March 9 and April 30**.
 
-   To ensure continued secure operation of your SecureDrop instance, it is of
-   critical importance to resolve any compatibility issues with the new kernel
-   as quickly as possible. If you encounter problems with this update, please
-   get in touch with us urgently, so we can help you run the latest supported
-   kernel version.
+Before then, we encourage you to take :doc:`preparatory steps <focal_prep>`
+to ensure that the migration will go smoothly.
 
-For information on how to downgrade to the previous kernel, and for additional
-troubleshooting information, please see our :doc:`Kernel Troubleshooting Guide <../kernel_troubleshooting>`.
-
 Getting Support
 ---------------